kubernetes - cert-manager certificate chains

I want to set up a wildcard domain certificate on a kubernetes cluster.

I got a crt/key pair, and an intermediate crt from my CA.

I've created a Secret referencing the crt/key pair (I've tried with and without the intermediate crt):

apiVersion: v1
data:
  tls.crt: LS0tLS1CRUd...
  tls.key: LS0tLS1CRUd...
kind: Secret
metadata:
  name: wildcard-key-pair
type: kubernetes.io/tls

Then I've created a Certificate and the related Issuer, using cert-manager and following their documentation from https://docs.cert-manager.io/en/latest/tasks/issuers/setup-ca.html

apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
  name: wildcard-issuer
  namespace: default
spec:
  ca:
    secretName: wildcard-key-pair
---
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: wildcard
  namespace: default
spec:
  secretName: wildcard-tls-secret
  dnsNames:
    - '*.example.com'
    - example.com
  commonName: '*.example.com'
  organization:
    - example
  issuerRef:
    name: wildcard-issuer
    kind: Issuer

But when I describe my certificate, using kubectl, I get the following error:

Error getting keypair for CA issuer: certificate is not a CA

I'm kind of confused about the whole process of getting my wildcard dns working on my kubernetes cluster, so if you have any idea that could point me in the right direction don't hesitate to share your thoughts.

As @johnharris85 mentioned, make sure your certificate has the CA flag set to true if you are using your own. You can check it via

$ openssl x509 -text -noout -in ca.crt |grep "CA:"

Output should be CA:TRUE.

Hope it helps!
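
An added example (not part of the original answer): the same CA-flag check applied to the base64 `tls.crt` value of a Secret, run against a constructed self-signed CA and a constructed wildcard leaf. The function names and the sample certificates are assumptions made up for this illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). All names and certificates here are constructed.

# is_ca FILE: succeed if the first certificate in FILE carries basicConstraints CA:TRUE.
# openssl x509 reads only the first PEM certificate, so a leaf+intermediate bundle
# is judged by its leaf.
is_ca() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# secret_is_ca B64: decode a Secret's tls.crt value (base64 of PEM) and test it.
secret_is_ca() {
  local tmp rc=0
  tmp=$(mktemp)
  printf '%s' "$1" | base64 -d > "$tmp"
  is_ca "$tmp" || rc=$?
  rm -f "$tmp"
  return "$rc"
}

# make_samples DIR: constructed test material, a self-signed CA plus a wildcard
# leaf signed by it (the kind of certificate a public CA hands out).
make_samples() {
  local d=$1
  printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3_ca' 'prompt = no' \
    '[dn]' 'CN = Constructed Test CA' '[v3_ca]' 'basicConstraints = critical,CA:TRUE' > "$d/req.cnf"
  printf '%s\n' 'basicConstraints = CA:FALSE' \
    'subjectAltName = DNS:*.example.com,DNS:example.com' > "$d/leaf.ext"
  openssl req -x509 -config "$d/req.cnf" -newkey rsa:2048 -nodes -days 1 \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  openssl req -new -config "$d/req.cnf" -subj '/CN=*.example.com' -newkey rsa:2048 -nodes \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
    -days 1 -extfile "$d/leaf.ext" -out "$d/leaf.crt" 2>/dev/null
}

# b64 FILE: encode a file the way it appears under data: in a Secret manifest.
b64() { base64 < "$1" | tr -d '\n'; }

demo() {
  local d; d=$(mktemp -d)
  make_samples "$d"
  for c in ca leaf; do
    if secret_is_ca "$(b64 "$d/$c.crt")"; then echo "$c.crt: CA:TRUE, usable as spec.ca.secretName"
    else echo "$c.crt: not a CA, the CA issuer will reject it"; fi
  done
  rm -rf "$d"
}
demo
```

A wildcard certificate issued to you by a CA is a leaf, so it takes the second branch whether or not the intermediate is appended after it in `tls.crt`.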
